Repudiation is the act of refuse authoring of something that happened. [[Category:FIXME|I don't understand what that sentence is trying to say]]A repudiation attack happens when an application or system does not adopt controls to properly track and log users actions, thus permitting malicious manipulation or forging the identification of new actions.

+

A repudiation attack happens when an application or system does not adopt controls to properly track and log users' actions, thus permitting malicious manipulation or forging the identification of new actions.

This attack can be used to change the authoring information of actions executed by a malicious user in order to log wrong data to log files. Its usage can be extended to general data manipulation in the name of others, in a similar manner as spoofing mail messages.

This attack can be used to change the authoring information of actions executed by a malicious user in order to log wrong data to log files. Its usage can be extended to general data manipulation in the name of others, in a similar manner as spoofing mail messages.

If this attack takes place, the data stored on log files can be considered invalid or misleading.

If this attack takes place, the data stored on log files can be considered invalid or misleading.

Line 13:

Line 15:

== Risk Factors==

== Risk Factors==

TBD

TBD

−

[[Category:FIXME|need content]]

+

==Examples ==

==Examples ==

−

Consider a web application that makes access control and authorization based on SESSIONID, but registers user actions based on a user parameter defined on the Cookie header, as follows:

+

Consider a web application that makes access control and authorization based on ''JSESSIONID'', but registers user actions based on a ''user'' parameter defined on the Cookie header, as follows:

Latest revision as of 11:23, 19 December 2013

Description

A repudiation attack happens when an application or system does not adopt controls to properly track and log users' actions, thus permitting malicious manipulation or forging the identification of new actions.
This attack can be used to change the authoring information of actions executed by a malicious user in order to log wrong data to log files. Its usage can be extended to general data manipulation in the name of others, in a similar manner as spoofing mail messages.
If this attack takes place, the data stored on log files can be considered invalid or misleading.

Risk Factors

TBD

Examples

Consider a web application that makes access control and authorization based on JSESSIONID, but registers user actions based on a user parameter defined on the Cookie header, as follows: